Intel’s Meltdown and Spectre: How Dome9 is Responding

A couple of recently discovered vulnerabilities in certain processor chips designed by Intel are having a dramatic effect on the computing industry. The vulnerabilities — known as “Meltdown” and “Spectre” — allow applications like JavaScript running in web browsers, or other malware to gain unauthorized access to a computer’s memory. These vulnerabilities could potentially affect anyone with an Intel-powered machine – whether it is a personal computer, mobile phone, or an armada of virtual machines in a cloud environment.

What are Meltdown and Spectre?

Modern processors are designed to perform “speculative execution” (sometimes known as “out-of-order execution”). The processors “speculate” the functions that are expected to run and queues the necessary commands in advance. This technique is used to optimize processor performance. However, it also permits access to normally isolated data.

Meltdown (CVE-2017-5754) – Meltdown exploits a flaw in that speculative execution mechanism. It allows software to read the contents of private kernel memory. It affects every Intel processor released since 1995 (with the exception of the Itanium and pre-2013 Atoms). ARM and AMD processors are not thought to be affected by this vulnerability.

Meltdown can be exploited regardless of the operating system and affects both personal computers and the infrastructure of cloud environments.

Spectre (CVE-2017-5753, CVE-2017-5715) – Spectre can allow attackers to steal information, such as private credentials or passwords, that are stored in the kernel or in the memory of a running program. Spectre reportedly affects Intel, AMD and ARM processors. This vulnerability is also operating system agnostic

The impact of Meltdown and Spectre on Cloud Environments

The infrastructure of cloud environments, like any virtualization environment, is based on physical hosts. Vulnerabilities such as Meltdown can be exploited to access the memory of the virtual machine from the host machine. Attackers could potentially buy space on a vulnerable cloud service and use it to stage an attack against other customers using the same host.

Cloud vendors are taking this matter very seriously.

Amazon has published an extensive update on its efforts to protect its AWS services against Meltdown. It has also published a new bulletin article regarding the newly patched Amazon Linux AMI.

Microsoft also seems to be engaged in an ongoing effort to fix its exposed Azure infrastructure. It too has a guide out explaining how to patch Windows based servers to protect against these new threats.

Google’s “Project Zero” research team was the group that first discovered the Meltdown and Spectre. It published an article to answer questions and provide support.

The impact of the vulnerabilities on Dome9 Systems

Dome9 systems are deployed on AWS and so the Spectre vulnerability has an impact on our operation as well. As a security company and service provider we want to keep our customer’s safe and informed.

Dome9’s CISO, Gil Ohayon, has been closely monitoring the updates by AWS, making sure that our critical systems are patched both internally and by the vendor. The Dome9 Incident Response Team (IRT) has been working around the clock to provide immediate mitigation to the relevant systems in accordance with our Incident Response Policy and Vulnerability Management Policy. The team has also been monitoring system performance to detect any degradations.

Our efforts to make sure Dome9 is no longer exposed to these vulnerabilities also includes updates to the Dome9 Intrusion Detection System (IDS) and Anti-Virus alongside other vendor supplied patches. Our team’s workstations have also been updated with latest OS and browser patches. We are also taking full advantage of vulnerability scanners, such as AWS Inspector.

In addition to taking steps to protect our systems from the exposure to Meltdown and Spectre, Dome9 provides customers with the tools they need to find if they have hosts affected by these vulnerabilities. In a following blog post, we describe how customers can use the Dome9 Compliance Engine with Amazon Inspector to protect their environments.